[2/3,v3] Unbound: Use caps for IDs

Message ID 2203e7aa-b981-228c-4cf2-f65ccc9a10a8@link38.eu
State Superseded
Headers
Series [1/3,v3] Unbound: Enable DNS cache poisoning mitigation |

Commit Message

Peter Müller Aug. 28, 2018, 1:29 a.m. UTC
  Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/unbound/unbound.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
  

Patch

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index fa2ca3fd4..8b5d34ee3 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -59,7 +59,7 @@  server:
 	harden-below-nxdomain: yes
 	harden-referral-path: yes
 	harden-algo-downgrade: no
-	use-caps-for-id: no
+	use-caps-for-id: yes
 
 	# Harden against DNS cache poisoning
 	unwanted-reply-threshold: 5000000